Slashdot Mirror
Understanding NFS
LiquidPC writes: "ONLamp.com's Big Scary Daemons section has yet another great new BSD article, this one on Understanding NFS and using it in FreeBSD."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
RMS's sister?
Here's a printer and human friendly version, for those of you, who don't like half-screen animated ads inside the text you try to read.
~shiny
WILL HACK FOR $$$
I'm appalled that he considers IP address matching to be a way of preventing abuse. Sure, his cable modem is a separate interface so he can use a firewall to block it. But what if you're on a large untrusted LAN and you want to share files between two machines? I have exactly this problem (I have a laptop and a desktop at university) and I'm still looking for a simple yet secure way to share between them without allowing anyone to just spoof the IP address (and preferrably without transmitting my secret plans for world domination over the wire in the clear).
Is it just me, or is NFS an acronym for No Fucking System?
Seriously, I'm doing a journaled database file system that runs way better than some old dog FS which has had it's day.
Any suggestions for Kauri would be good, it's a grid file system with CVS like features.
All Your BSD Are Belong To Us!
- Kaos games and encryption systems developer
Amazing enough, BSD had working NFS, what, almost
20 years ago? And now the true blue BSD unix
you have come to know and love is freely available
to run on your PC.
Second, if you export NFS to the world, you're insane and deserve what you get. If you want remote filesystem access, use a secure protocol like the Self-Certifing Filesystem (SFS). SFS also avoids completely the problem of having a shared UID space.
Finally, his advice to mount your filesystems intr is good. But insufficient - also mount them soft, so that filesystem calls will eventually timeout if the server goes poof.
Pre-planning is useful, as always
"It is a greater offense to steal men's labor, than their clothes"
I don't think this article qualifies as "understanding nfs". NFS is a hairy beast, and all this does is get you started from the userland point of view. What makes nfs so hairy is the numerous ways it can fail or at least not do what you expect.
-Peter
== Just my opinion(s)
I've been looking on Google for about ten minutes for information about NFS I could understand and, just sort of a broad overview of it. Always something germane and informative on Slashdot ;).
1. It's difficult to find a good Windows based NFS client. I was using time limited demo clients for an educational setting and they would cause all sorts of problems like locking up of Win95 - yeah I know, its probably Win95. How has it changed for Windows now?
2. I had a big security concern that anyone who had a laptop with Unix loaded and running nfsclient would be able to log in with root privileges. You needed root access on the client not on the server and then you could su to any user.
I can see now that with the widespread use of DHCP servers, that restricting access to IP addresses won't work.
There is already stuff about NFS! The NFS HOWTO can be found at http://nfs.sourceforge.net/nfs-howto/
What's that? slashdot for dummies? What will it me next? -- link to step-by-step manual of XFree86 configuration for matrox G200 PCI card? Nah, XF86Config is too complex, probably walkthrough on changing display resolution in winXP will be next. go-jenny-go!
Just a tip... by default, FreeBSD uses conservative NFS mounting options. Note that these work well when trying to interoperate with other Unixes; everybody speaks the lowest common denominator. You can use mount options to augment NFS performance but reduce interoperability somewhat. These options aren't necessary when you're working with one or two clients, but as your NFS installation grows, you'll find them helpful. They may or may not work with other operating systems; it depends on what those OSs support.
At the risk of feeding the trolls...
My firm uses openBSD extensively as a firewall. Where Linux is flexible and versatile, *BSD is more logically put together and better documented. The clear advantage to *BSD, however, is security. Nothing can touch it.
They should have started at the beginning so we could better appreciate the narrative thread Even the ones that are done are not in chronological order - Pauling probably arranged them loosely by subject. E.g. 35b has entries from 1938-1939, 1946, 1955, 1968 and 1986-1988 and seems to be about a textbook, aluminium and cancer 44 is 1991-1994 and has lots of heavy metal stuff. 46 is 1967-1972 and contains stuff about transition metals and loads of misc stuff. It's going to take a while to read his handwriting :-)
NFS has a long history of insecurities.(Link takes a little while to load...)
Also in the article he claims: "You can reboot a server and the client won't crash." Maybe not crash but at least with Solaris (in my experience) you hang the entire system during the reboot. Sometimes it comes back and sometimes it doesn't.
For a secure alternative that runs on *BSD/Solaris/Linux w/(2.4 Kernels) try out:
Self-Certifying Filesystem.
The authors do warn that it is in alpha stage but also claim they have never lost a file. VERY cool project.
And of course as the OpenBSD Journal has noted, SysAdmin Mag is running an article on Tunneling NFS over SSH.
Comments about /etc/exports... /etc/exports would be incompatible with that from any other Unix."
/etc/exports? Of course you can have seperate directories from the same partition on different lines!! In the man page they have an example of it! Plus there is this comment lifted directly from the FreeBSD 4.5 man page for /etc/exports.
"There are no identifiers between the components of the line. Yes, it would be easier to read if we could put each shared directory on its own line, but we can't; they're all on the same partition. The FreeBSD team could rewrite this so that it had more structure, but then our
What?!?! Did this guy even read the man page for
"Mount points for a filesystem may appear on multiple lines each with different sets of hosts and export options."
Michael's articles are usually of excellent quality, but I can't believe how many other mistakes he's made! The article is written to familiarize a "junior" sys admin to NFS, but only teaches them bad habits. Hopefully he'll do a little more research for his future articles.
I've spent quite some time trying to find a nfs client for windows. Does such a beast exist?
I've found more than enough shareware/etc... but have been unable to find a open source solution.
Does anyone know of a free nfs client for windows?
I haven't had any SFS problems for over 6 months, since 0.5i. But the notice is correct - your mileage may vary, and use with caution. I've seen SFS tickle bugs in the Linux NFS implementation, but the latest Linux NFS support is much improved over 2.2. On Open/FreeBSD, it's quite solid, IMHO.
For further info, browse the SFS-users mailing list. It's a good way to get a feel for the issues involved in running SFS.
(Obligatory disclosure: I'm not one of the developers, but my office is across the hall).
..this intro to NFS is kinda light for /. Understanding NFS -- I believed I was going to be reading about the gushy internal stuff that goes on but in layman terms, but rather, I found stuff that any *nix admin here on /. has known for years. Don't slip. First, that horrible reference to that horrible Google ad-words article, then this.
NFS rocks. Coming from the PC world, I was shocked when I discovered how long this useful standard has been around, and how compatible the implementations are... A little while ago I added an old SGI Indy to my Linux network. I tried mounting my primary NFS share on it, expecting to spend several hours troubleshooting in IRIX before it would work. And whaddya know, it came up perfectly the first time =).
For those who are interested in a more secure NFS, i found an interesting article about encypted NFS (via openssh) It's a good read, and really interesting! Unfortunately it's written for Linux, but it's easy to adapt it to *BSD. Check it out here!
Life sucks.
The article makes quite an interesting read. I enjoyed reading it, and if you want even more information, read this.
As we all know pointers make code insecure.
and *your* mother. and your mother's mother.
but, you knew that.
ha ha ha, and ha.
you congenital moron... surprised you could dig out from under your rock long enough to post your semi-literate garbage.
eat McShit and die. thanks.
You guys are in exactly the same position I was in (and partially still am) a year ago.
/. at 4a.m. on a Sat. night should answer that question... no, I don't, and never have had one. :( Although I've been "friends with benefits" with a few girls here and there, but that's not the same thing. I'd like to find love, but I have higher priorities at the moment.
:)
:)
I went to a large midwestern engineering school in the middle of a cornfield for a CS degree (if I mention the name, there are people possibly reading who will know who I am and I'd like to avoid that; suffice it to say that it's on roughly the same level of quality and reputation as U of I-Champaign). I did practically nothing but download warez and porn and DivX's and post to various message boards. I spent nearly every weekend night in my dorm, doing all this.
Meanwhile, my roommate and his gf were out with a bunch of friends having fun, or watching a DivX in our room, or having sex behind my back in his bed...
Meanwhile, I had no inclination (as a freshman no less) to do any homework whatsoever.
To say I was depressed would be an understatement - I was seriously considering suicide (nobody else knew I was considering it though - I knew if I mentioned it to anybody I'd be locked away in the loony bin) by the time I left the school with a near-failing GPA.
But I decided to see where life would take me. And while it hasn't been easy or fun, and frankly a it's been a total PITA and humiliation trip, it's been good for me.
I started off going to work for a Linux startup that went bankrupt not long after 9/11, thinking the real world would be better. In some ways, it was (some adults are actually pretty cool), but in other ways, it sucked far far worse than college (waking up at 5a.m. to catch a train, then coming home on the train at 6p.m. sucks ass!). We were eventually all laid off, so I decided to go back to school at a community college.
So what happens? I took a full semester's worth of work in half the time -- and got straight A's doing it! Granted, 1/4 of the credit I was taking was total bullshit (like "intro to the Internet" - oh no!), but the other 3/4 of the credit was roughly 50-90% as difficult as in a real university. I was shocked to find out how well I'd done.
This semester, at the same CC is much the same, although I suck at math *badly*, and so I'm likely going to drop and retake Calculus2, seeing as there's no penalty for dropping classes like there were at the big Uni. Otherwise, my grades are quite good once again.
Do I have a girlfriend? Well, the fact that I'm posting on
What's my current attitude for success? Forget finding women at a community college, because they really are as stupid as the imbeciles you remember from high school, and concentrate on working hard and focusing on the homework at hand.
After all -- if you can't make it at a CC, quite honestly, you're not gonna make it anywhere else. Fortunately, CC's are nearly as easy as high school.
Summary: Forget the women until your grades come up. You won't be able to take care of the women or make them happy (with money typically) until you have the degree that says you deserve big bucks anyway, so that might as well be your primary focus. You gotta think like the A-Team -- there's *always* a solution to every problem, and it feels great when "a plan comes together."
So make a plan -- I planned to go to school, but a decent job offer came up so I took it, but that failed so I went back to school after seeing RL sucks, and was more motivated than ever before in my entire life, mainly because I had nothing left to lose.
Although, there is a LOT to be said for getting women now, because someday, it really *is* going to be too late.
Basically, life sucks, it's true, and don't ever forget it. But at the same time, try to channel your depression and anger at the hand life has dealt you into something productive. You wouldn't believe just how effective a strong "fuck the world" attitude - properly channeled of course - can be at being at least academically successful (and it actually helped me meet a nice girl, but unfortunately our interests are total opposites (she hates computers and I *live* for computers), so nothing really is resulting from it).
The worst part about all of what I've said is this: you won't realize I'm right until you've experienced all this failure yourself. Trust me on this one, that's exactly what I found out.
I can't say I'm a success story yet because I'm not done with my BSCS! But most of the signs are pointing *MY* way now for once! And despite doing poorly in Calc2, overall I've rarely felt better in my life.
I, for one, am glad I stopped short of taking my dad's shotgun to my head... And it didn't require going to a psychologist to avoid either, so I have no record of mental illness (nobody's gonna hire somebody who's been found insane! Partially or otherwise...). It's just a matter of "getting root" on your brain and controlling your psyche, willpower, and determination. And believe it or not, I did it using no other drugs than the very occasional (once every couple of months) use of alcohol; no other drugs necessary. And the best part, is that I did it all on my own, with no more help than monetary support from my parents... And you can too.
Seriously, don't give up just yet guys.
*BSD may be dying, but you guys don't have to...
[Sorry about length, BTW, but this has become a very deep-seated issue with me, as you can tell, and I absolutely HATE to see people fail or get depressed for the same reasons I was.]
The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shround over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
This is from a link I saw on LinuxToday last week
:)
Run SSH to set up a port forwarding "tunnel" and then run NFS through it so that all traffic will be encrypted. It will slow down performance but it's better than living in fear!
http://www.samag.com/print/documentID=22157
P.S. SSH rules!!!
- security. If you run it (and yes it can be convenient to have, say, all your mp3 files accessible from every client on your local net) then do so behind a big fat firewall.
:-)
- stability. Notably you shouldn't use softupdates on an NFS export or sooner or later you're going to see panics.
- performance. Is awful. Even copying through scp is faster than NFS.
In short, NFS has its merits but for anything serious or anything in an unprotected network zone I'd definately vote against it.
Strange BTW that the article doesn't mention the AMD (auto mount daemon). While I personally found it hideous its worth mentioning that one can have their shares auto mounted and unmounted on demand.
Last point: NFS was thought up by Sun. What were we expecting anyway
"You can reboot a server and the client won't crash. It won't be able to access files on the server's export while the server is down, but once it returns, you'll pick up right where things left off. Other network file sharing systems are not so resilient."
From regular personal experience, I can state that NFS is hardly so robust under HPUX.... Is BSD really this foolproof?
I had alot of fun with NFS during my Univerity years. Sure it has some nice features as it's lightning-fast and stateless but it's totally unsecure, period.
The NFS server has two parts, the authentication part and the data-server part. The authentication part authenticates based on the IP address of the requester, if successful, it will send the requester the 'key' for the export.
After that, anybody can use that key to request files from the data-server part. And from any IP address!!
There exist a very nice ftp-like tool that lets you play with NFS systems, enter the key manually or use the UID overflow bug to get root privs. And this is only the beginning of the fun !!
Trust me, "Don't use NFS" unless you are running it on a network that is not connected to the rest of the world, and you trust everyone that has access to this network.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
At one point I was planing on installing FreeBSD along side slackware linux. The installation was much too tedious however.
that's font, cockmaster
If you graduated HS in 98 that makes you 22 or so? No way is that too old to go to college. Hell, as the only freshman old enough to buy beer you'd probably be the most popular guy in the dorm.
...wearing a skin-tight topless leather jumpsuit, with cutaway buttocks and transparent crotch panel.
Click here or here.
Our experience is that on Solaris, if you have an NFS mount that has a failed (offline) server, you will not get an SSH login prompt. OpenSSH apparently scans the file system before providing the prompt, and since it is waiting for NFS to return the mount's info, it never gives the prompt. Would mounting partitions 'soft' fix this?
Yes.
These Windows NFS clients are typically over $300 per seat - which is simply insane. Is there a high quality NFS client for Windows under $100?
Samba is good, but it has to run on the (UNIX) machine that can see the native file system. I'd like to bypass Samba and have the Windows clients talk to NFS directly.
The article is correct; only mountpoints (and not subdirectories) can be entries in /etc/exports. From the `exports' man page (emphasis mine):
Furthermore, the only example given in the man page explicitly identifies the directories listed as mountpoints.
Please don't moderate up comments that sound informational without actually checking your facts first.
Dewey, what part of this looks like authorities should be involved?
Personally I recommend never using NFS. Heck, I wrote a paper about it. It's a bit old, and doesn't cover NFSv4. But of course, NFSv4 doesn't address the basic issue of using the wrong model for the problem, so that's not a big deal. :)
re uid/username: mea culpa.
My original title on this piece was "Introduction to NFS". To the best of my knowledge, ten people in the world truly, deeply understand NFS. Six have won Nobel Prizes, three are in the Institute for the Criminally Insane, and one is not allowed sharp objects and drools on himself a lot. O'Reilly does not seem to like my original titles... ah, well.
Finally, if Slashdot was going to pick up one of my articles... why, my God, did they choose this one? There are many far more interesting and informative Big Scary Daemons out there... take a look at "Linux Emulation, the Hard Way" for one I'm especially proud of. Sigh. Obviously, they don't want the editorial standard to go above that maintained by other Slashdot authors...
There has always been a problem that NFS was compatable across OS'es, but only SunOS/Solaris respected file locks held across the network (via lockd) - is this still the case?
Well, just because you can do something, it doesn't mean you should. NFS doesn't export directories--NFS exports filesystems. If you have a FS mounted on /share, and you export /share/somedir, you've actually exported all of /share, even though you may not realize it.